Safe Harbor Replacement Approved By European Commission

On 12 July 2016, only 9 months after the invalidation of the Safe Harbor, the European Commission (EC) formally adopted a decision confirming the adequacy of its replacement - the EU-U.S. Privacy Shield. US organisations may self-certify to the standards set out in the Privacy Shield from 1 August 2016.

EU and US negotiators spent 2 years developing the Privacy Shield, first publishing details of the scheme in February 2016. Since then it has been revised, not least to address concerns raised by the Article 29 Working Party (the group of EU data protection authorities and the European Data Protection Supervisor), which issued a critical opinion regarding the Privacy Shield on 13 April see here >.

Changes made to the final form of the Privacy Shield, as compared to the February draft, include the following:

Clarification of the rules on data retention.

Additional clarification as to when bulk collection of data may occur and what distinguishes it from mass surveillance.

Further onward transfer rules so that onward transferees located outside the EU and US have to adhere to the Privacy Shield's principles.

Clarification that the Ombudsperson who will oversee operation of the Privacy Shield will be independent of US intelligence services.

It remains to be seen whether these changes will be sufficient to gain the approval of EU data protection regulators. The A29WP is to issue a revised opinion on 25 July. Although it cannot veto the Shield, its members will have to consider any subsequent complaints made to them in relation to its use.

Businesses which are interested in using the Privacy Shield to legitimise their trans-Atlantic data transfers will therefore be very interested in what the A29WP has to say. One regulator, the Irish DPA, is reported to have already suggested, during Irish court hearings regarding the use of EC standard contract clauses (SCCs) by Facebook, that the legality of the Privacy Shield should also be assessed by the Court of Justice of the EU (CJEU) along with SCCs. So interested businesses need to be aware that the scrutiny to which Safe Harbor was put could also be applied to its replacement.

What is the Privacy Shield?

The Privacy Shield is a new mechanism which allows companies to provide adequate protection for personal data when transferring the data from the EU to the US. It relies a similar approach of self-certification or outside verification against compliance with certain privacy principles as was used by Safe Harbor. There are seven privacy principles that must be adhered to: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrityand Purpose Limitation; Access;and Recourse Enforcement and Liability. Whilst the principles are broadly similar to those under Safe Harbor some, notably the Notice and Accountability for Onward Transfer, go further than their Safe Harbor equivalents.

Changes made to the final form Privacy Shield

Below are some of the key changes made to the Privacy Shield to meet the A29WP's concerns:

Clarification on Data Retention: the rules on Data Integrity and Purpose Limitation have been clarified. Personal data processing must be: limited to what is relevant given the purposes for which the data was obtained; reliable for its intended use; accurate; complete; and current. In particular, personal data can be retained only for so long as is necessary given the purposes for which it was originally collected or subsequently authorised;

Mass and indiscriminate data collection by US Intelligence Agencies: the Office of the Director of National Security has provided further clarity around the "bulk collection" of data for intelligence purposes, a key A29WP concern. Bulk collection is described as the acquisition of a relatively large volume of intelligence data where the intelligence agency cannot use an identifier associated with a specific target (for example email address or telephone number). However the US state that bulk collection is neither 'mass' nor 'indiscriminate': it is carried-out under specific pre-conditions and must be as targeted and focussed as possible (for example in respect of identified legitimate targets);

Onward Transfers: where onward transfers are made to third parties who act as either a controller or processor, the recipient must contractually agree to notify the data exporter if they can no longer meet their obligations to provide the same level of protection as required by the Privacy Shield principles. Also, the Privacy Shield principles are to apply to such sub-processors. These rules add to the existing restrictions on onward transfers contained in the Privacy Shield which provide that any onward transfers must only be for limited and specified purposes and on the basis of a contract in which the transferee agrees to provide the same level of protection as that afforded under the Privacy Shield principles;

Independence of the Ombudsperson: the Ombudsperson is stated to be independent of US intelligence services and will report directly to the Secretary of State who is to ensure that she carries out her functions free from improper influence. In addition, co-operation with oversight bodies with investigatory powers (such as Inspector Generals or the Privacy and Civil Liberties Oversight Board) is stated to ensure that the Ombudsperson has access to the expertise necessary to fulfil her role; and

Periodic Review: under the revised arrangement, the US commits to inform the EC of material developments in US law where relevant to the Privacy Shield and similarly the EC is to assess the level of protection provided by the Privacy Shield following the entry into force of the GDPR in May 2018. It seems inevitable that changes will need to be made to the Privacy Shield's principles to upgrade them to a GDPR level of compliance.

How to sign-up for Privacy Shield

In order to adopt the Privacy Shield, an organisation must be subject to the investigatory and enforcement powers of the FTC, the US Department of Transport or another statutory body agreed to by the EC. These bodies will oversee compliance with the Privacy Shield principles. So, as was the case for Safe Harbor, US businesses operating in certain sectors (such as financial services and telecommunications) are not currently eligible to participate.

To self-certify for the Privacy Shield, an organisation must, amongst other things, file a submission signed by a corporate officer confirming compliance with the Shield's principles. A full and publicly available privacy policy must also be published, as must contact details for the handling of complaints and subject access requests, and details of the independent recourse mechanism that is available to investigate unresolved complaints.

We expect that further information on how to self-certify to the Privacy Shield will be provided on the US Department of Commerce's website in the coming weeks.

Our view of the EU-US Privacy Shield

Whilst agreement on the EU-US Privacy Shield will be welcomed by many, it remains to be seen whether the finalised arrangement will meet the concerns of the A29WP. Attention now turns to the publication of its opinion at the end of July.

Whatever its opinion is, it seems likely that the effectiveness of the Privacy Shield to meet EU data transfer laws will be challenged through the Courts at some stage.

Whilst that may leave some cautious about using the Privacy Shield as part of their EU data transfer compliance programmes, the increased administrative burden associated with other compliance mechanisms, such as SCCs, SCC's unsuitability for certain business models (e.g. where there is no EU based data controller to sign the clauses) and the uncertainty surrounding SCC's future, means that we wouldn't discount the Privacy Shield. The Shield could prove a useful element (alone or with other transfer compliance solutions) of an organisation's compliance programme.

An interesting point to note if you are considering using the Privacy Shield. It's Accountability for Onward Transfer principle requires organisations to commit to various supplier flow down undertakings, for instance those highlighted above. However, a grace period of nine months is granted to those who certify to the Shield within two months of it becoming effective. Thereafter, applicants must certify to full conformity with this and all other Shield principles as of the day that their application is made. So, for some, there may be an advantage in making a quick application for the Privacy Shield.